Thanks for the reply.
vrf30 and vrf40 put in the ip/route are indeed the VRFs created in ip/vrf/add.
Adding vrfXX instead of the interface like ether2 or 3 is a practice mentioned in the MikroTik manual for "[url https://help.mikrotik.com/docs/pages/vi ... eId=328206]Static VRF-Lite Connected route leaking[/url]". I could easily change the configuration but:
- If I specify the interface like gateway=ether2@vrf30, it behaves in the exact same way and can ping the un-NATed IP like 10.2.40.10 (if this IP is set on the VirtPC)
- If I specify the gateway address I get an inactive route on main, losing the intermediate gateway
Here's an example:
Code:
[admin@MikroTik] > ip route/pr detail
Flags: D - dynamic; X - disabled, I - inactive, A - active;
c - connect, s - static, r - rip, b - bgp, o - ospf, i - is-is, d - dhcp, v - >H - hw-offloaded; + - ecmp
   DAc   dst-address=10.2.4.0/24 routing-table=main gateway=ether1 immediate-gw=ether1 distance=0 scope=10 suppress-hw-offload=no local-address=10.2.4.1%ether1
 0  IsH  dst-address=10.2.30.0/24 routing-table=main pref-src="" gateway=10.2.30.1@vrf30 immediate-gw="" distance=1 scope=30 target-scope=10 suppress-hw-offload=no
 1  As   dst-address=10.2.40.0/24 routing-table=main pref-src="" gateway=ether3@vrf40 immediate-gw=ether3 distance=1 scope=30 target-scope=10 suppress-hw-offload=no
   DAc   dst-address=10.2.40.0/24 routing-table=vrf40 gateway=ether3@vrf40 immediate-gw=ether3 distance=0 scope=10 suppress-hw-offload=no local-address=10.2.40.1%ether3@vrf40
   DAc   dst-address=10.2.30.0/24 routing-table=vrf30 gateway=ether2@vrf30 immediate-gw=ether2 distance=0 scope=10 suppress-hw-offload=no local-address=10.2.30.1%ether2@vrf30

In no way can I reach the VirtPC on its native IP (i.e. 192.168.1.10), of course after setting the VirtPC to such an IP.
I've tried applying dstnat and srcnat based on connection marking but this still doesn't work.
Here's the latest setup which, as before, works only on "non overlapping" and does not work with address translation to the local native IP of the device:
Code:
/ip vrf
add interfaces=ether2 name=vrf30
add interfaces=ether3 name=vrf40
/ip address
add address=10.2.4.1/24 interface=ether1 network=10.2.4.0
add address=10.2.30.1/24 interface=ether2 network=10.2.30.0
add address=10.2.40.1/24 interface=ether3 network=10.2.40.0
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0
/ip firewall mangle
add action=mark-connection chain=prerouting connection-state=new dst-address=\
    10.2.30.0/24 in-interface=ether1 new-connection-mark=from-main-to-vrf30
add action=mark-routing chain=prerouting connection-mark=from-main-to-vrf30 \
    in-interface=vrf30 new-routing-mark=main passthrough=no
add action=mark-connection chain=prerouting in-interface=vrf30 \
    new-connection-mark=from-vfr30 passthrough=no src-address=192.168.1.0/24
add action=mark-connection chain=prerouting connection-state=new dst-address=\
    10.2.40.0/24 in-interface=ether1 new-connection-mark=from-main-to-vrf40
add action=mark-routing chain=prerouting connection-mark=from-main-to-vrf40 \
    in-interface=vrf40 new-routing-mark=main passthrough=no
add action=mark-connection chain=prerouting in-interface=vrf40 \
    new-connection-mark=from-vfr40 passthrough=no src-address=192.168.1.0/24
/ip firewall nat
add action=netmap chain=dstnat connection-mark=from-main-to-vrf30 \
    dst-address=10.2.30.10 to-addresses=192.168.1.10
add action=netmap chain=srcnat connection-mark=from-vfr30 src-address=\
    192.168.1.10 to-addresses=10.2.30.10
/ip route
add dst-address=10.2.30.0/24 gateway=ether2@vrf30
add dst-address=10.2.40.0/24 gateway=ether3@vrf40

Statistics: Posted by alexioma — Thu Apr 04, 2024 1:07 am